From 9476b9bf21842abc1b805eb86276eada59f8c05c Mon Sep 17 00:00:00 2001
From: "ferenc.argay"
Date: Fri, 27 Sep 2019 14:53:54 +0200
Subject: [PATCH] REC-417 Disable root login by changing root shell

Change-Id: I6ebfa359694b2ec5c3162fd85a7d7a960a79c248
---
 roles/ops-hardening/tasks/main.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index d56e893..71218a0 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -156,6 +156,16 @@
 - name: "Direct root Logins Not Allowed"
 shell: echo > /etc/securetty
 
+- name: Change 'root' shell to nologin
+ user:
+ name: root
+ shell: /sbin/nologin
+
+- name: Lock 'root' password
+ user:
+ name: root
+ password: '!!'
+
 #
 # Configure IPv6
 #
--
2.16.6
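Review bot: The "Lock 'root' password" task overwrites root's shadow hash with the literal `'!!'` rather than using the user module's own lock option, so the previous hash is discarded and the intent is only implicit; `password_lock: true` in place of `password: '!!'` states the intent directly and keeps the hash, provided the Ansible version in use supports it. Neither added task covers SSH: a locked password and a `/sbin/nologin` shell do not by themselves refuse key-authenticated root connections that need no shell, so it is worth confirming that the role sets `PermitRootLogin no` in sshd_config elsewhere, which is not visible in this hunk. Two operational points to check before rollout: on hosts where emergency or rescue mode authenticates as root through sulogin, a locked root account may block console recovery, and the nologin binary lives at `/usr/sbin/nologin` on some distributions, so the hard-coded path presumably assumes a single target OS family.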